Stanley, 14.07.2025, 5 min read

What Is FQDN Split Tunneling?

FQDN split tunneling is a method of configuring which domains route through a VPN's encrypted tunnel using fully qualified domain names instead of IP addresses. FQDN split tunneling is a powerful strategy that can reduce administrative burden, speed up VPN connections, and improve continuity.

Understanding Split Tunneling

Most commonly, split tunneling is handled by IP address. IT administrators exclude certain IP addresses from the VPN tunnel, forcing that traffic through a different (split) channel. While this is a precise way of protecting a connection, it is also extremely labor-intensive to manage. Although there are tactics to speed up listing excluded IP addresses, administrators normally have to group addresses in ranges. For instance:

- They may start with 3.7.35.0
- Before then moving up to 3.7.35.1
- And upward to 3.7.35.2

The simple fact that IP addresses can range across hundreds of specifics makes this a time-consuming pursuit. Plus, network administrators have to regularly update this list to:

- Remove old IP addresses
- Replace them with new ones that they want to exclude

Instead of using this laborious method of split tunneling, businesses are using FQDN split tunneling. As FQDNs contain an entire domain address, administrators can use them to rapidly exclude entire sources of connection from the VPN. If you want to exclude every host under a company's domain, you only need the wildcard '*'. For instance, you could match connections to Microsoft with *.microsoft.com, which would ensure all connections to this domain bypass your VPN.
Role of SSL VPNs in Remote Access

A secure sockets layer (SSL) VPN is another form of VPN that allows businesses to create secure VPN tunnels for any type of device. They are most frequently used to access internal resources within a company's network or to connect directly to enterprise apps. SSL VPNs use the transport layer security (TLS) protocol to encrypt connections, providing a highly secure and rapid method of creating an encrypted tunnel and facilitating the connection. The exact version of the protocol will be whichever is currently on the device an employee is using. This is another reason to keep all devices updated to their latest software releases.

The Pros of FQDN Split Tunneling

There are a number of benefits of FQDN split tunneling that businesses and network administrators can take advantage of:

- Improve Performance for Sensitive Applications: When you exclude certain traffic from your VPN tunnel, you save its bandwidth for the applications that need it. This can help to improve the performance of sensitive applications.
- Reduce IT Team Burden: While a team could, in theory, achieve the same result with either IP split tunneling or FQDN split tunneling, the core difference is that the former takes significantly more time.
- Decrease Lag Due to Intense Connections: Some applications drain a large portion of your VPN traffic, such as those that stem from video conferencing services like Zoom or Microsoft Teams. By using FQDN split tunneling to route these connections around your VPN, you can ensure that your VPN remains accessible and functional at all times for other applications.
The Cons of FQDN Split Tunneling

There are also some cons of FQDN split tunneling that network administrators should be aware of:

- Consider Potential Exposure: If network administrators do not carefully consider which connections they are routing around the VPN, they may accidentally expose company records that needed a higher level of security and were not sent through the VPN encryption channel.
- Monitor DNS Manipulation Strategies: There are some newer cyber strategies that involve manipulating DNS answers to redirect traffic to alternative servers. Network admins should maintain awareness of new attack vectors listed in the MITRE ATT&CK Framework and ensure they use access controls on any admin accounts.
- Prepare for a Larger Initial Burden: While FQDN split tunneling is a less burdensome way of managing split tunneling, it does involve an initial setup process. Administrators will have to identify the IP addresses they currently bypass or allow, and then translate these into FQDN entries to ensure the system continues to behave as planned.

Some FQDN split tunneling systems help prevent the first two of these cons by offering alternative monitoring and security controls for the bypassed stream of traffic.

Configuring FQDN Split Tunneling

In Harmony SASE, IT administrators can configure FQDN split tunneling from the Networks section.

Steps to Configure FQDN Split Tunneling

1. Navigate to Networks and select the specific network to modify.
2. Access the Split Tunneling settings by clicking the "…" icon and selecting Split Tunneling.
3. Enter the FQDNs and specify whether they should be included in or excluded from the VPN tunnel.

Manual vs. Automatic Configuration

By default, split tunneling is inactive (Automatic mode), meaning all traffic routes through the VPN. To enable FQDN split tunneling, switch to Manual mode and define which FQDNs should be routed through or bypass the VPN.
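To make the wildcard matching from the "Understanding Split Tunneling" section and the Automatic/Manual distinction above concrete, here is an added example of a small policy evaluator. It is not Harmony SASE or Check Point code; the matching semantics (a rule like *.microsoft.com matches hosts under the domain at a label boundary but not the apex, an explicit "tunnel" rule wins over a "bypass" rule, and no rules in Automatic mode means everything goes through the VPN) are assumptions for the example, and the hostnames and ranges used are constructed. It also shows the legacy IP-range style of exclusion side by side, so the difference in what an administrator has to maintain is visible.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not Check Point / Harmony SASE code): a minimal split-tunnel
# policy evaluator contrasting legacy IP/CIDR exclusions with FQDN rules.
# Assumed semantics: "*.example.com" matches any host under example.com at a
# label boundary but not the apex; "example.com" matches only that exact name.


@dataclass
class SplitTunnelPolicy:
    manual: bool = False  # False = "Automatic" mode: everything goes through the VPN
    bypass_fqdns: list = field(default_factory=list)     # excluded from the tunnel
    tunnel_fqdns: list = field(default_factory=list)     # explicitly forced through it
    bypass_networks: list = field(default_factory=list)  # legacy IP/CIDR exclusions

    @staticmethod
    def _match(rule: str, host: str) -> bool:
        rule = rule.lower().rstrip(".")
        host = host.lower().rstrip(".")
        if rule.startswith("*."):
            suffix = rule[1:]  # "*.microsoft.com" -> ".microsoft.com"
            # The leading dot enforces a label boundary, so "notmicrosoft.com"
            # and "microsoft.com.evil.example" do not match.
            return host.endswith(suffix)
        return host == rule

    def decision_for_host(self, host: str) -> str:
        """Return 'vpn' or 'bypass' for a hostname the client is about to connect to."""
        if not self.manual:
            return "vpn"
        # Explicit tunnel rules win, so a sensitive host under a broadly
        # excluded domain can still be kept inside the encrypted tunnel.
        if any(self._match(r, host) for r in self.tunnel_fqdns):
            return "vpn"
        if any(self._match(r, host) for r in self.bypass_fqdns):
            return "bypass"
        return "vpn"

    def decision_for_ip(self, ip: str) -> str:
        """Legacy decision: bypass only if the address falls in an excluded range."""
        if not self.manual:
            return "vpn"
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(n) for n in self.bypass_networks):
            return "bypass"
        return "vpn"


def demo() -> dict:
    # Constructed policy: video conferencing and Microsoft services bypass the
    # tunnel, except one (hypothetical) sensitive host kept inside it.
    policy = SplitTunnelPolicy(
        manual=True,
        bypass_fqdns=["*.zoom.us", "*.microsoft.com"],
        tunnel_fqdns=["corp-files.microsoft.com"],   # hypothetical hostname
        bypass_networks=["3.7.35.0/24"],            # the range from the article
    )
    hosts = [
        "login.microsoft.com",          # under the wildcard -> bypass
        "microsoft.com",                # apex, not covered by "*." -> vpn
        "microsoft.com.evil.example",   # lookalike, label boundary fails -> vpn
        "corp-files.microsoft.com",     # explicit tunnel rule wins -> vpn
    ]
    result = {h: policy.decision_for_host(h) for h in hosts}
    result["3.7.35.1"] = policy.decision_for_ip("3.7.35.1")
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} -> {verdict}")
```

The label-boundary check is the detail worth copying: a naive `host.endswith("microsoft.com")` would also send traffic for a lookalike such as notmicrosoft.com around the tunnel, which is exactly the "potential exposure" risk listed above.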
This approach optimizes resource allocation, network efficiency, and security. By implementing FQDN split tunneling, administrators gain better control over network traffic, ensuring improved performance and secure access management.

Maximize Security with Check Point's SASE

A VPN is an integral part of effective cybersecurity network infrastructure and a tool that every business should be using. Especially if dealing with remote employees, a VPN is vital to keep connections safe and protect from data hijacking. FQDN split tunneling is the most effective way of enhancing your VPN connections, reducing administrative burden on IT teams, and keeping your employees safe.

With Check Point's SASE, you can easily configure your unique FQDN split tunneling rules in minutes. Alongside diverting unwanted traffic through alternative streams, Check Point's SASE will also place additional layers of security upon bypassed traffic with Hybrid Internet Access, keeping all your connections as safe as possible. Get started today by requesting a demo.

FAQ

What's the difference between FQDN split tunneling and application-based tunneling?

FQDN split tunneling filters traffic based on domain names (e.g., *.zoom.us), while application-based tunneling uses application fingerprinting or metadata to determine what traffic should bypass the VPN. The former is more transparent and scalable across platforms, but app-based tunneling may be more precise in complex environments.

Can FQDN split tunneling be used for regulatory compliance?

Yes, selectively routing sensitive data through the VPN while excluding low-risk domains can help align with data residency and industry compliance frameworks. However, to meet audit requirements, organizations must log traffic and document exclusion rules thoroughly.
Does FQDN split tunneling work with dynamic or CDN-based domains?

FQDN split tunneling can handle wildcard domains (e.g., *.microsoft.com), but it may struggle with content delivery networks (CDNs) or services that use constantly changing subdomains. DNS caching and resolution controls are critical to ensure consistent behavior.

How can DNS over HTTPS (DoH) affect FQDN split tunneling?

DoH can encrypt DNS requests, hiding them from network-level tools that enforce FQDN policies. If devices use external DNS resolvers over HTTPS, the split tunneling engine might fail to detect which domains are being accessed. Admins should enforce corporate DNS usage to avoid this blind spot.

What are signs your FQDN split tunneling is misconfigured?

Common red flags include increased helpdesk tickets for connection failures, VPN bandwidth congestion despite exclusions, or unusual data access patterns. Continuous monitoring and feedback from end-users are essential to fine-tune and validate your tunnel policies.
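The DoH blind spot described in the FAQ above is easiest to catch on the network side: if a device resolves names somewhere other than the corporate resolver, the FQDN engine never sees the lookup. The following is an added example, not Check Point's or Harmony SASE's code, of a small check run over constructed flow records. The corporate resolver address, the flow-record layout, and the list of public resolver addresses that also serve DoH on port 443 are assumptions for the example; feed your own values in practice.

```python
# Added example (not the product's code): flag endpoints whose DNS traffic
# bypasses the corporate resolver, which is what makes FQDN split tunneling
# rules unenforceable for those endpoints.
#
# Constructed flow-record format: "<timestamp> <src-ip> <dst-ip>:<port> <proto>"

# Assumption: the corporate resolver that the FQDN engine observes.
CORPORATE_RESOLVERS = {"10.0.0.53"}

# Assumption: public resolvers that also serve DoH over 443. Maintain this
# list from a current source in production; these two are illustrative.
KNOWN_DOH_ENDPOINTS = {"1.1.1.1", "8.8.8.8"}

# Constructed sample records.
SAMPLE_FLOWS = """\
2025-07-14T09:00:01Z 10.0.5.23 10.0.0.53:53 udp
2025-07-14T09:00:02Z 10.0.5.23 1.1.1.1:443 tcp
2025-07-14T09:00:03Z 10.0.5.24 8.8.8.8:53 udp
2025-07-14T09:00:04Z 10.0.5.24 10.0.0.53:53 udp
2025-07-14T09:00:05Z 10.0.5.25 203.0.113.10:443 tcp
"""


def classify_flow(line: str) -> tuple:
    """Return (src_ip, verdict) where verdict is 'ok', 'external-dns' or 'likely-doh'."""
    _ts, src, dst_port, _proto = line.split()
    dst, port_text = dst_port.rsplit(":", 1)
    port = int(port_text)
    if port == 53 and dst not in CORPORATE_RESOLVERS:
        return src, "external-dns"      # plain DNS to a non-corporate resolver
    if port == 443 and dst in KNOWN_DOH_ENDPOINTS:
        return src, "likely-doh"        # HTTPS to a known DoH endpoint
    return src, "ok"


def find_dns_bypass(text: str) -> list:
    """Return [(src_ip, verdict), ...] for every record that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, verdict = classify_flow(line)
        if verdict != "ok":
            findings.append((src, verdict))
    return findings


if __name__ == "__main__":
    for src, verdict in find_dns_bypass(SAMPLE_FLOWS):
        print(f"{src}: {verdict}")
```

The port-443 rule is a heuristic, since the same addresses also host ordinary web content; treat a "likely-doh" hit as a prompt to confirm the device's resolver configuration, and treat "external-dns" as a policy violation to fix by enforcing the corporate resolver.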